21-Year-Old Bug in Kerberos Protocol Gets Patch in Windows, Linux

Two implementations of the Kerberos authentication protocol received patches this week against a vulnerability that allowed a threat actor to bypass authentication procedures.

The vulnerability was discovered by a team of three researchers, who dubbed it “Orpheus’ Lyre.”

Researchers tracked down the flaw to Kerberos versions released in 1996. The bug affects two of the three implementations of the Kerberos protocol — Heimdal Kerberos and Microsoft Kerberos. The MIT Kerberos implementation is not affected.

Orpheus’ Lyre vulnerability bypasses Kerberos authentication

Orpheus’ Lyre exploits a part of the Kerberos protocol named “tickets.” These are messages exchanged between network nodes, and are used to authenticate services and users.

Not all parts of a ticket are encrypted when sent through the network. Kerberos implementations usually rely on checking the encrypted parts of a Kerberos message to authenticate users and services.

Researchers said they found a way to force a Kerberos client to use the unencrypted plaintext part of a message, rather than the encrypted part, for authentication decisions.

An attacker that has compromised a company’s network or can execute a Man-in-the-Middle (MitM) attack can intercept and modify these plaintext ticket sections to bypass Kerberos authentication, and gain access to a company’s internal resources.

While this bug requires an attacker to already have compromised a machine on the network, the Orpheus’ Lyre vulnerability is dangerous regardless, because it allows an attacker to escalate their access inside that network.
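The flaw described above, as an added illustration that is not code from the original article or from any Kerberos implementation: a deliberately simplified model of a KDC reply that carries the service principal name both in an unauthenticated plaintext header and in the part protected by the client's key. The "encrypted part" is modelled here only by an HMAC tag under a constructed key (integrity is what matters for this bug), and all field names are assumptions; the vulnerable client trusts the plaintext copy, the hardened client only uses fields from the verified part.

```python
import hmac
import hashlib
import json

# Constructed key standing in for the client's long-term key, which a
# network attacker does not hold and therefore cannot forge a tag with.
CLIENT_KEY = b"constructed-client-long-term-key"


def mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def build_kdc_rep(key: bytes, sname: str, srealm: str) -> dict:
    """KDC reply: plaintext header fields plus a key-protected part."""
    enc_part = json.dumps({"sname": sname, "srealm": srealm,
                           "session_key": "constructed-session-key"}).encode()
    return {"sname": sname, "srealm": srealm,
            "enc_part": enc_part, "tag": mac(key, enc_part)}


def open_enc_part(key: bytes, rep: dict) -> dict:
    """Verify the protected part; anything outside it is unauthenticated."""
    if not hmac.compare_digest(mac(key, rep["enc_part"]), rep["tag"]):
        raise ValueError("integrity check failed on protected part")
    return json.loads(rep["enc_part"])


def client_vulnerable(key: bytes, rep: dict) -> tuple:
    """Verifies the protected part but then takes the service name and
    realm from the plaintext header, which anyone on the path can edit."""
    enc = open_enc_part(key, rep)
    return rep["sname"], rep["srealm"], enc["session_key"]


def client_hardened(key: bytes, rep: dict) -> tuple:
    """Only fields from the verified part drive authentication decisions."""
    enc = open_enc_part(key, rep)
    return enc["sname"], enc["srealm"], enc["session_key"]


def rewrite_plaintext_header(rep: dict, sname: str, srealm: str) -> dict:
    """Constructed on-path modification: only the unprotected fields change,
    so the tag over the protected part still verifies."""
    altered = dict(rep)
    altered["sname"], altered["srealm"] = sname, srealm
    return altered
```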

Issue fixed in Windows, Debian, FreeBSD, Samba

Researchers have contacted projects where the Kerberos protocol was used. Microsoft patched the vulnerability in its Kerberos implementation (CVE-2017-8495) in this week’s Patch Tuesday security update.

Debian, FreeBSD, and Samba — projects using the Heimdal Kerberos implementation — have also released patches for the flaw, tracked as CVE-2017-11103. Red Hat said it uses MIT Kerberos, so RHEL users were protected all these years.

The three researchers who discovered the bug are Jeffrey Altman, founder of AuriStor, Inc., and Viktor Dukhovni and Nicolas Williams of Two Sigma Investments, LP.

The research team declined to publish in-depth technical details in order to give users more time to update their machines. More technical details will be published in the coming days on the Orpheus’ Lyre website.

“Note that this vulnerability is a client-side vulnerability. You must patch all affected clients,” researchers said. “You cannot patch servers to mitigate or defeat this vulnerability.”